Discussion

The MS02-015 patch by Microsoft seemed to fix the Codebase Localpath Command Execution vulnerability.
It certainly seemed that none of the examples provided by the security community worked anymore.
However, testing these examples from HTML files residing on the local disk proved that Microsoft had merely
removed the symptoms instead of fixing the problem.
How did MS02-015 fix the problem?
Simple: it disallowed codebase file execution from non-local zones (HTTP://).
Why is this bad?
Even when you are running HTML files from your local hard drive, the pages are still sandboxed.
Trying to automate ActiveX components that can tamper with the filesystem (Scripting.FileSystemObject)
or execute programs (WScript.Shell) is forbidden for HTML pages, in any default zone setting.
Only HTML Applications are allowed this level of access, as they are by definition unsafe HTML pages
that require the user's explicit consent to run.
The mere fact that Codebase command execution still works locally proves that it has escaped that sandbox model.
What should be done?
The codebase property references the file in which a COM object resides. Unconditionally executing that file is
bad and should simply be disabled.
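Since the page's point is that a codebase attribute naming a local file is treated as something to execute, the check a content filter or mail gateway would want is to find <object> tags whose codebase resolves to a local path rather than a download URL. The following auditor is an added example written for this discussion; it is not code from the original advisory or from Microsoft. The sample HTML, the all-zero CLSID and the C:\CONSTRUCTED\ paths are constructed placeholders, and the classification of "local" (drive letter, file: scheme, or UNC prefix) is this example's own rule, not one taken from the page.

```python
import re
from html.parser import HTMLParser

# Constructed sample document (not from the advisory): four <object> tags,
# one with a normal HTTP download codebase and three whose codebase points
# at the local filesystem in different spellings.  The CLSID is a dummy.
SAMPLE_HTML = r"""<html><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="http://example.invalid/control.cab#version=1,0,0,0"></object>
<object classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="C:\CONSTRUCTED\sample.exe"></object>
<OBJECT CLASSID="clsid:00000000-0000-0000-0000-000000000000"
        CODEBASE="  FILE://C:/CONSTRUCTED/other.exe"></OBJECT>
<object classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="\\fileserver\share\CONSTRUCTED.exe"></object>
</body></html>"""

# Heuristic for "this codebase names a local file": a file: URL, a drive
# letter followed by a path separator, or a UNC (\\server\share) prefix.
# This rule is the example's own assumption, not a definition from the page.
LOCAL_PATH = re.compile(r'^(?:file:|[A-Za-z]:[\\/]|\\\\)', re.IGNORECASE)


class CodebaseAuditor(HTMLParser):
    """Collects every <object> codebase attribute and classifies it."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and unescapes
        # character references in attribute values for us.
        if tag != "object":
            return
        attributes = dict(attrs)
        codebase = attributes.get("codebase")
        if codebase is None:
            return
        codebase = codebase.strip()
        kind = "local-path" if LOCAL_PATH.match(codebase) else "remote"
        self.findings.append({
            "line": self.getpos()[0],
            "classid": attributes.get("classid"),
            "codebase": codebase,
            "kind": kind,
        })


def audit_html(html_text):
    """Return one finding per <object> tag that carries a codebase attribute."""
    parser = CodebaseAuditor()
    parser.feed(html_text)
    parser.close()
    return parser.findings


def local_codebases(html_text):
    """Only the findings whose codebase points at the local filesystem."""
    return [f for f in audit_html(html_text) if f["kind"] == "local-path"]


if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML):
        print("line {line}: {kind:10s} codebase={codebase!r}".format(**finding))
```

Run against the constructed sample, the auditor reports four codebase attributes and flags three of them as local paths; the mixed-case tag with leading whitespace in its value is caught because the parser normalises names and the value is stripped before matching. A real deployment would also want to unwrap percent-encoding and check the final decoded value, which this example does not do.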

However, there is one place where the programmer did not take enough caution. Line 187 contains (comments added to explain the code):

// Expected to return an array of <link> elements.
// The theDocument variable used on this line is the document property of the
// argument passed to the dialog, which is expected to be a window object.
links = theDocument.all.tags("link");

// Sends the array for inspection by another function.
retVal = checkLinkReadyStateComplete(links, reportLocation);